Friday 24 August 2012

Do ARP RFC Requires validatation of Source Ip address ?

ARP is defined in RFC 826.The ARP packet size is 28 bytes. The EtherType for ARP is 0x806. Packet format for IPV4 is :
ARP header :

Hardware type (HTYPE) : 2 byte
    This field specifies the network protocol type. Example: Ethernet is 1.

Protocol type (PTYPE) : 2byte
     For IPv4, this has the value 0x0800

Hardware length (HLEN) : 1 byte
    Length (in octets) of a hardware address. Ethernet addresses size is 6.

Protocol length (PLEN) : 1 byte
      IPv4 address size is 4.

Operation  : 2 byte
     1 for request, 2 for reply.

Sender hardware address (SHA) : 4 byte
     Source mac address

Sender protocol address (SPA) : 6 byte
     Source Ip address

Target hardware address (THA) : 4 byte
         ( o.o.o.o for request, in reply (destination mac of target)

Target protocol address (TPA) : 6 byte
    Destination Ip address


Do you know that RFC 826 does not talk about source MAC validation. So if you send ARP request with  ARP header source MAC address as , the windows and Linux PC will accept it , as it is and update the arp table. Dont trust me test it.

How do you send these packets, use Colasoft packet builder .

Windows :

Linux :

So why this is not done ? Well if you check in routers/ switches like in Cisco, Juniper they have separate commands to handle this. Something called "arpspoof", using this you can enable the validations.

Why in Linux it is not done ? Well its open source .....and Windows  ?  Well they do what they think is correct !!!!

Please check in your companies router/switches if it is done or not ?

Keep Learning, Keep Breaking !!!